Users in India suddenly can't connect to SSL VPN

I recently set up an SSL VPN on a brand new FortiGate 40F, using SSO linked to our Azure AD. Most of our users are connecting from the US, but we have a few users in India as well. Everything was working great last week, but on Monday the Indian users suddenly couldn't connect. The client kind of acts like it's connected, but doesn't show the info you'd normally see, like the IP address, username, etc. Pic attached at the bottom of the post. When they connect it never asks them to sign in, even when we delete the connection and create a new one. I even tried revoking MFA sessions and it still acted like it automatically signed them in: no prompt to enter credentials and no MFA push notification. I even see an "active" session in the status screen of the FortiGate, but no traffic is being forwarded (it's a full tunnel).

Anyone have any idea what may be causing this issue? I’m new to using Fortigate.

Look for geoblocking in policies.

I forgot to come back with an update: upgrading to a newer version of FortiClient resolved the issue. Seems 7.0.3 and up will work properly.

Check debug output: diag debug sslvpn; diag debug enable

Any Conditional Access policies in Azure AD that prevent the login based on location?

We’re having the same issue. Have you resolved it?

I forgot to mention in the OP that I originally had it locked down to only USA and India, but I set it back to allow access from any host and that had no effect.

No, but I was able to narrow the cause down to the tunnel negotiation timing out. I had to put this issue on a back burner for a while, but will be diving back into it next week.

It's strange that it's only users in India we have this issue with, and to my knowledge it is affecting all (about 10) of them.

Did you ever figure out this issue?

Nope. All I’ve been able to determine is that the handshake to negotiate the tunnel is timing out. I tried setting the login timeout and dtls timeout values to their maximum but that didn’t have any effect. Not that I thought the login timeout would change anything since I’d already confirmed the authentication was successful, but I figured why not try it.
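The FortiGate-side checks the thread keeps coming back to (SSL VPN debug output, the login and DTLS timeouts, and the list of negotiated sessions), collected here as an added example; these are not commands quoted from the original posts. The syntax is FortiOS CLI as typed on the firewall; the timeout values are illustrative, lines starting with `#` are annotations rather than CLI input, and disabling DTLS is only a diagnostic step to see whether the tunnel comes up over TLS alone.

```text
# Enable SSL VPN application debug, have an affected user connect, then stop it
diagnose debug reset
diagnose debug application sslvpn -1
diagnose debug console timestamp enable
diagnose debug enable
# ... reproduce the failing connection from the India-side client ...
diagnose debug disable
diagnose debug reset

# Show the SSL VPN sessions the firewall considers negotiated (user, tunnel IP, DTLS state)
diagnose vpn ssl list

# Login timeout and DTLS hello timeout, in seconds (values here are illustrative)
config vpn ssl settings
    set login-timeout 180
    set dtls-hello-timeout 60
end

# Diagnostic only: force TLS-only tunnels to check whether the DTLS leg is what times out
config vpn ssl settings
    set dtls-tunnel disable
end
```

If the session shows up in `diagnose vpn ssl list` with a tunnel IP but no traffic flows, the authentication leg has succeeded and the problem is after it, which matches what the thread describes; re-enable DTLS once the test is done.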

Well, that's a bummer... Dealing with this right now and Fortinet doesn't seem to have an answer yet. Are you using FortiClient 7.0.x?

Yep, the free version so no support from Fortinet.

So it looks like there might be a solution. I tested with a few users and we were successfully able to leverage MFA again for users in Asia. Turns out this is a client bug, and Fortinet helped me troubleshoot this. Go grab the 7.0.3 version of the client and install it. You'll need to get it from the support site instead of fortinet.com.

One thing they suggested was to DL the Microsoft uninstaller tool to completely remove FortiClient. Neither of the two test users I did required this step. A normal uninstall works just fine.

Thanks for following up! I’ll try this once I’m back at work next week.